Systems and methods for use in authenticating users in connection with network transactions

ABSTRACT

Systems and methods are provided for use in authenticating a user in connection with a network transaction by the user, based on a biometric combination. One exemplary method includes receiving, by a computing device, an authorization request for a network transaction by a user where the authorization request includes biometric data representing at least a first biometric of the user and a second biometric of the user and transmitting the biometric data to a biometric registry, thereby permitting the biometric registry to verify the biometrics data. The method then also includes converting, by the computing device, the biometric data to a personal identification number (PIN) specific to the biometric data when the biometric data is verified and appending, by the computing device, the PIN to the authorization request.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation-in-part of U.S. patent application Ser. No. 15/646,292 filed Jul. 11, 2017. The entire disclosure of the above application is incorporated herein by reference.

FIELD

The present disclosure generally relates to systems and methods for use in authenticating users to accounts in connection with network transactions, and in particular, to authenticating the users based on biometric combinations and/or biometric personal identification numbers (PINs) and to assignment of the biometric combinations and/or the biometric PINs to the users.

BACKGROUND

This section provides background information related to the present disclosure which is not necessarily prior art.

Consumers often use payment accounts to purchase products (e.g., goods and services, etc.) from merchants. When using the payment accounts, the consumers are known to be invited, or required, to authenticate themselves to the payment accounts (or corresponding payment devices) at the time of the purchases. The authentication of a consumer may be based on presentation of photo identification (e.g., a driver's license, a passport, etc.). Alternatively, the authentication may be based on entry of a personal identification number (PIN), etc., or presentation of a biometric, where the PIN or the biometric is then confirmed for the consumer's payment account (e.g., by being a PIN associated with the payment account, or by comparison of the biometric to a reference biometric associated with the payment account, etc.). When the consumer is authenticated, one or more transactions directed to the consumer's payment account may be initiated and/or approved by an issuer or other entity associated with the payment account.

DRAWINGS

The drawings described herein are for illustrative purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure.

FIG. 1 illustrates an exemplary system of the present disclosure suitable for use to authenticate a consumer to a payment account, based on presentation of a biometric personal identification number (PIN);

FIG. 2 is a block diagram of a computing device that may be used in the exemplary system of FIG. 1;

FIG. 3 is an exemplary method that may be implemented in the system of FIG. 1 for use in registering a consumer for a biometric PIN;

FIG. 4 is an exemplary method that may be implemented in the system of FIG. 1 for use in authenticating the consumer in connection with a payment account transaction by the consumer, based on presentation of the biometric PIN, for example, as registered to the consumer in the method of FIG. 3;

FIG. 5 is an exemplary method that may be implemented in the system of FIG. 1 for use in enrolling a biometric combination for authenticating a consumer to a payment account and/or for use in developing at least one rule associated with the payment account; and

FIG. 6 is an exemplary method that may be implemented in the system of FIG. 1 for use in authenticating a consumer in connection with a transaction by the consumer at a merchant, based on a biometric combination applied to the consumer's payment device and/or the POS terminal.

Corresponding reference numerals indicate corresponding parts throughout the several views of the drawings.

DETAILED DESCRIPTION

Exemplary embodiments will now be described more fully with reference to the accompanying drawings. The description and specific examples included herein are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.

Payment accounts are often used by consumers (broadly, users) to fund transactions for products (e.g., goods and/or services, etc.) at merchants (e.g., payment account transactions, etc.). In connection with the transactions, the consumers are often authenticated to the payment accounts and/or to payment devices associated therewith, whereby the merchants and/or issuers associated with the payment accounts gain confidence in approving and/or permitting the transactions. In certain implementations, mechanisms by which consumers are authenticated may be cumbersome and/or subject to simulation and/or theft by fraudsters. Uniquely, the systems and methods herein permit consumers to be authenticated through biometric personal identification numbers (PINs), which include multiple biometrics of the consumers in sequence (i.e., in order). In particular, a consumer registers for a biometric PIN, where each biometric associated with the biometric PIN is assigned a character (e.g., a number, etc.). Then, in connection with a transaction using his/her payment account, the consumer is prompted to enter the biometric PIN, whereby the consumer enters his/her PIN for the payment account by sequentially presenting the biometric corresponding to each character of his/her PIN. Each received biometric is then verified and, once verified, converted to the character assigned thereto. When all received biometrics are verified, the characters then form an actual PIN, which is provided to an issuer of the consumer's payment account as part of the approval process for the transaction. Specifically, when the actual PIN matches the PIN associated with the payment account, the consumer is authenticated and the transaction is permitted to continue (e.g., is permitted to be approved by the issuer, etc.). In this manner, the authentication of the consumer is strengthened because it relies on biometrics and, further, because it requires not just one biometric but a sequence of multiple biometrics as representative of a PIN, thereby improving fraud prevention associated with the payment account.

Additionally, or alternatively, the systems and methods herein uniquely permit consumers to be authenticated through biometric personal identification numbers (PINs), which include multiple biometrics of the consumers (e.g., biometric combinations, etc.). In particular, a payment device, such as, for example, a credit card, a debit card, etc., (or a point-of-sale (POS) terminal) includes one or more biometric readers that accepts multiple biometrics simultaneously (at the same time, or at nearly or substantially the same time (e.g., within less than about five seconds of each other, within less than about three seconds of each other, within less than about one second of each other, etc.). As such, when a consumer attempts a transaction, the consumer positions two biometrics over the biometric reader(s), whereby multiple biometrics are captured and included in an authorization request for the payment account transaction, as a biometric combination. The biometrics are then verified, and converted to the associated PIN (generally, where different biometric combinations would be associated with different PINs). The associated PIN is then passed to the issuer of the payment account (in the authorization request) whereby the issuer may apply one or more rules, specific to the associated PIN, to the transaction (e.g., a transaction limit rule, a merchant restriction rule, etc.). In this manner, biometric combinations may be used by the consumer, in lieu of a single PIN, to provide enhanced transaction security and/or whereby multiple different PINs may be employed and associated with different rules, while the consumer is not tasked with remembering different numerical PINs.

FIG. 1 illustrates an exemplary system 100 in which one or more aspects of the present disclosure may be implemented. Although the system 100 is presented in one arrangement, other embodiments may include systems arranged otherwise depending, for example, on the manner in which transactions are authenticated, on the manner in which the payment network interacts with (or includes) a registry of biometrics, etc.

As shown in FIG. 1, the system 100 generally includes a merchant 102, an acquirer 104 associated with the merchant 102 (and configured to process purchase transactions (broadly, network transactions) performed at the merchant 102), a payment network 106, an issuer 108 configured to issue payment accounts to consumers, and a biometric registry 110 (all broadly entities), each coupled to (and in communication with) network 112. The network 112 may include, without limitation, a local area network (LAN), a wide area network (WAN) (e.g., the Internet, etc.), a mobile network, a virtual network, and/or another suitable public and/or private network capable of supporting communication among two or more of the parts illustrated in FIG. 1, or any combination thereof. For example, the network 112 may include multiple different networks, such as a private payment transaction network made accessible by the payment network 106 to the acquirer 104 and the issuer 108 and, separately, the public Internet, which is accessible as desired to the merchant 102, the payment network 106, the registry 110, etc.

The merchant 102 is configured to offer and sell products (e.g., goods, services, etc.) to consumers, including, for example, consumer 114. The products may include any suitable and/or desired products within the scope of the present disclosure. In connection therewith, the merchant 102 is generally associated with one or more physical locations (i.e. a physical storefront, etc.) and/or one or more network-based locations (e.g., websites, mobile applications, etc.) (i.e., a virtual storefront, etc.), through which the products are offered for sale and/or are sold to consumers, including the consumer 114.

The consumer 114 in the system 100, as a person, includes conventional biometrics, such as, for example, fingerprints 116 and palm prints, etc. The fingerprints 116, for example, are substantially unique to the consumer 114, and thus, may be used to authenticate the consumer 114 as compared to other consumers and/or persons attempting to use the payment account issued to the consumer 114. In particular, as shown in the dotted circle in FIG. 1, the consumer 114 has a right hand 118 with five fingers (i.e., a thumb and index, middle, ring, and pinky fingers), where each finger is associated with a fingerprint 116. The consumer 114 also has a left hand (not shown) with five fingers, and with each finger of the left hand also associated with a fingerprint 116. As such, the consumer 114 has ten unique fingerprints 116 (broadly, biometrics) that may potentially be used as described herein. It should be appreciated that while the embodiments herein are described with reference to the consumer's fingerprints 116, other biometrics may also (or additionally) be used to provide biometrics, a biometric combination, or a biometric PIN as described herein (e.g., retina scans, facial scans, voice scans, etc., in combination and/or in combination with the fingerprints 116, or separate therefrom; etc.).

The consumer 114 is also associated with a payment account issued by the issuer 108. The payment account is associated with a payment device 124, which is also issued, in this embodiment, by the issuer 108 and, generally, is in the possession of the consumer 114. The payment device 124 is often presented in connection with a payment account transaction to permit the merchant 102 or other entity to conveniently identify the payment account.

In this exemplary embodiment, the payment device 124 is generally a payment account device in the form of a credit card, a debit card, a smart card, a chip card, or other suitable card-type device, but may be otherwise in other embodiments. The illustrated payment device 124 includes two biometric readers 126 and 128, each generally aligned on opposite planar sides 130, 132 of a card structure 134 forming the payment device 124 (although such alignment is not required in all embodiments). In the illustrated embodiment, the biometric reader 126 is located on a front side 130 of the card structure 134, and the biometric reader 128 is located on a back side 132 of the card structure 134. The biometric readers 126 and 128 are configured as fingerprint readers, whereby the consumer 114 may hold the payment device 124 with fingers of his/her right hand 118 (or left hand) placed on each of the biometric readers 126 and 128 (e.g., when the card structure is held between the fingers, etc.). The payment device 124 is configured, then, to capture fingerprints 116 from the fingers simultaneously (i.e., at the same time, or at substantially at the same time) (e.g., within less than about five seconds of each other, within less than about three seconds of each other, within less than about one second of each other, etc.), via the biometric readers 126 and 128. The illustrated payment device 124 also includes a processor 136 formed with and/or coupled to the card structure 134 (thereby including EMV chip-card technology in the payment device 124) (shown on the front side 130 of the card structure 134 in FIG. 1) and a magnetic stripe 138 formed with and/or coupled to the back side of the card structure 134 (although these are not required in all embodiments), both of which are configured to store various data about the consumer's payment account. And, while not shown in FIG. 1, the payment device 124 may further include a memory associated with and/or in communication with the processor 136 for use as described herein.

While two biometric readers 126 and 128 are included in the payment device 124 of FIG. 1, it should be appreciated that the payment device may include a single input device comprising the two biometric readers 126 and 128, which is then configured to capture multiple biometrics simultaneously, or it may include more than two biometric readers, etc. In addition, in some embodiments the biometric readers 126 and 138 may be located on the same side of the payment device 124 (e.g., both located on the front side 130 of the card structure 134 of the payment device 124, etc.). What's more, the biometric reader(s) included in payment device 124 may capture other biometrics beyond fingerprints in other embodiments.

The registry 110 in the system 100 includes a registry of biometrics for multiple persons, including, in this example, the consumer 114. The registry 110 may include, for example, a government registry associated with a social service, or otherwise, which relies on and/or stores biometric information about different participants and/or registrants to ensure the social service or other service or benefit derived from authentication of the person, by the registry 110, is provided to the appropriate person. The registry 110 generally includes, at least in this embodiment, a data structure, which is organized by registry identifiers for the persons (e.g., unique identification (UID) numbers for the persons, such as Aadhaar numbers associated with the Unique Identification Authority of India (UIDA), or other suitable identifiers, etc.). Each of the registry identifiers is associated with a biometric data set (i.e., reference biometric data) for a person (e.g., for the consumer 114, etc.) (e.g., as retrieved for or obtained from the person by the authority responsible for the registry 110, etc.), whereby the data structure includes multiple biometric data sets for multiple persons. In connection therewith, each registry identifier is provided to a person to which it relates (e.g., the consumer 114, etc.) and is associated with the person's biometric data set included in the data structure, so that the person may provide his/her registry identifier in connection with requesting services from a desired provider, for example, and authentication of the person in connection therewith.

It should be appreciated that the registry 110 may include fingerprint data, or other types of biometric data (e.g., the other types of biometric data described above or otherwise herein, other biometric data, etc.) for use as described herein (e.g., for use as reference biometric data, etc.). And, it should be appreciated that while the registry 110 is illustrated in FIG. 1 as separate from the payment network 106 and separate from authentication engine 120, the registry 110 may be incorporated and/or integrated at least partly in one or both of these parts of the system 100 in other system embodiments (e.g., as a registry generated and facilitated by the payment network 106, etc.).

With continued reference to FIG. 1, the authentication engine 120 of the system 100 is configured, by executable instructions, to operate as described herein. In addition, the authentication engine 120 is shown in FIG. 1 as a standalone part of the system 100, and is generally consistent with computing device 200 described below. Alternatively, however, and as indicated by the dotted lines in FIG. 1, the authentication engine 120 may be incorporated into (or associated with), in whole or in part, the payment network 106 or the issuer 108. In one specific embodiment, for example, the authentication engine 120 is incorporated, in part, in the payment network 106 (e.g., to map the consumer's fingerprints to numbers, etc.) and in part in the issuer 108 (e.g., to compare the mapped numbers to an actual PIN associated with the consumer's payment account, etc.), etc. In addition, the authentication engine 120 is coupled to a data structure 122, which may be standalone from the authentication engine 120 or which may be incorporated in whole, or in part, with the authentication engine 120. The data structure 122 includes, at the least, maps defining assignments between fingerprints, for example, and characters (e.g., numbers, letters, etc.) assigned by consumers (e.g., by the consumer 114, etc.) to their fingerprints during registration of the consumers to the authentication engine 120 for the biometric PIN services described herein.

With that said, in operation in the system 100, the consumer 114 initially registers to the authentication engine 120 in order to permit and/or facilitate authentication of the consumer 114 in future transactions based on use of a biometric PIN or biometric combination. Such registration may be done after the payment account is issued to the consumer 114 by the issuer 108, or in connection with such issuance. Specifically, the consumer 114 accesses the authentication engine 120, for example, through a network-based application (e.g., a website, mobile application, etc.) associated with the payment network 106 and/or the issuer 108. The consumer 114, then, via the network-based application, requests to register a biometric PIN or biometric combination for use with his/her payment account.

In one implementation, as part of the registration request, or enrollment, the consumer 114 provides to the authentication engine 120 his/her registry identifier for the registry 110 (as assigned by the authority responsible for the registry 110, etc.), along with an assignment of a particular desired character for each biometric desired to be used by the consumer 114 in his/her biometric PIN. The assignment may include, for example, an assignment of a number to each fingerprint to be provided by the consumer 114 in connection with the registration (e.g., to each fingerprint provided by the consumer 114 to the authentication engine 120 via a fingerprint scanner at a computing device 200 associated with the consumer 114, etc.), etc.

In particular, in the illustrated system 100, the consumer 114 may assign the number “3” to the fingerprint 116 of the index finger of his/her right hand 118, the number “8” to the fingerprint 116 of the middle finger of his/her right hand 118, the number “1” to the fingerprint 116 of the ring finger of his/her right hand 118, and the number “4” to the fingerprint 116 of the pinky finger of his/her right hand 118, where the resulting actual PIN selected by the consumer 114 may then be “8341” as associated with the fingerprints for his/her right-hand middle finger, index finger, pinky finger, and ring finger (as the biometric PIN). However, it should be appreciated that in assigning the numbers, the different fingers of the consumer's right hand 118 may not necessarily be indicated by name, but may generally be indicated by sample fingerprint data, which is captured for the consumer 114 at a suitable computing device (e.g., the fingerprint scanner at the computing device 200 associated with the consumer 114, a scanner associated with the issuer 108, a scanner associated with the merchant 102, etc.) and included in the registration request. As such, the request may include, for example, fingerprint data #1, fingerprint data #2, fingerprint data #3, and fingerprint data #4, (i.e., a sequence of fingerprint data) and also the numbers 3, 8, 1, and 4 (i.e., a sequence of numbers) associated therewith. In general, the sequence of fingerprint data will include, at least, a number of fingerprints equal to a number of characters, or unique characters, in an actual PIN for an account (with repeat characters potentially represented by the same one fingerprint, or potentially by multiple different fingerprints). So, for example, an actual PIN of “2323” may include assignment of only two fingerprints, while an actual PIN of “123456789” (i.e., a PIN comprising nine unique characters) would necessitate nine different fingerprints being assigned. That said, in at least one example, the consumer 114 may assign the same characters to multiple fingers, where, for example, the actual PIN of “2323” may be provided by fingerprints for his/her index finger (right hand), middle finger (right hand), index finger (right hand), and ring finger (left hand) (i.e., where both the middle finger on the right hand and the ring finger on the left hand are assigned the number “3,” while the index finger on the right hand is assigned the number “2,” etc.). Thus, as illustrated by these examples, the biometric PIN of “2323” may be entered by use of two fingers (i.e., by the consumer's index finger (right hand) and middle finger (right hand)) or by use of three fingers (i.e., by the consumer's index finger (right hand), middle finger (right hand), and ring finger (left hand)), etc. In at least one other embodiment, the consumer's biometric PIN may include one character, which is assigned to one finger, where the consumer 114 presents the same fingerprint multiple times to provide the biometric PIN (e.g., as above, four index finger fingerprints (right hand) to provide “2222”), etc.).

Upon receipt of the request, the authentication engine 120 is configured to provide the registry 110 with the registry identifier for the consumer 114 and the fingerprint data (e.g., enrollment fingerprint data, etc.) received from the consumer 114 for the consumer's biometric PIN. The registry 110, in turn, is configured to verify the fingerprint data and to transmit a response, to the authentication engine 120, indicating that the fingerprint data is either verified or not verified. When the fingerprint data is verified, the authentication engine 120 is configured to create a map between the fingerprint data (or corresponding finger) and the corresponding numbers (or other characters) provided (or assigned) by the consumer 114, and to store the map in the data structure 122. In so doing, the authentication engine 120 is configured to associate the map, in the data structure 122, with the consumer's payment account and with the consumer's registry identifier (e.g., based on a primary account number (PAN) for the payment account, a token for the payment account, etc.). Table 1 illustrates an exemplary map of fingerprint data and corresponding numbers assigned thereto (e.g., by the consumer 114, etc.), as may be stored in the data structure 122.

TABLE 1 Index Fingerprint 3 Middle Fingerprint 8 Ring Fingerprint 1 Pinky Fingerprint 4

It should be appreciated that the assignment of fingerprint data above is merely exemplary, as other fingerprints for other fingers, or other biometrics in general, may be assigned to characters (including numbers, letters, etc.) of biometric PINs in other embodiments.

In another implementation, and again as part of the registration request, or enrollment, the authentication engine 120 is configured to solicit a biometric combination from the consumer 114 and a PIN associated with the biometric combination. In turn, the consumer 114 responds by positioning multiple biometrics, in order, or not, at a biometric scanner associated with the consumer's computing device 200 (e.g., a fingerprint for the consumer's thumb and fingerprint for the consumer's index finger as a biometric combination, etc.). The computing device 200 is configured to then capture the biometric data from each of the multiple biometrics (e.g., enrollment biometric data, etc.). In addition, via the network-based application, for example, the computing device 200 is configured to receive the PIN to be associated with the biometric combination from the consumer 114. Once captured and received, the computing device 200 is configured to transmit the biometric data and the associated PIN to the authentication engine 120 (via network 112).

In addition, the authentication engine 120 is configured to also retrieve a unique identification (UID) number associated with the consumer 114 based on the registration request (e.g., based on a PAN provided by the consumer 114, etc.). The authentication engine 120 is configured, like above, to provide the registry 110 with the UID number (or more generally, the registry identifier for the consumer 114) and the biometric data (i.e., the biometric combination in this implementation). The registry 110, in turn, is configured to verify the biometric data and to transmit a notice or response, to the authentication engine 120, indicating that the data is either verified or not verified. When the biometric data is verified, the authentication engine 120 is configured to create a map between the biometric data and the associated PIN, whereby the biometric data is stored as reference biometric data in the data structure 122 as corresponding to, or mapped to, the associated PIN. The authentication engine 120 is further configured to provide a notification of the successful storage and/or mapping of the biometric combination to the associated PIN.

It should be appreciated that multiple biometric combinations may be enrolled for a single payment account, whereby each of a first biometric combination, a second biometric combination, a third biometric combination, etc., is associated with first reference biometric data, second reference biometric data, third reference biometric data, etc., and a first associated PIN, a second associated PIN, and a third associated PIN, etc. In this manner, the multiple biometric combinations are enrolled for the consumer 114 and/or the payment account and stored in the data structure 122, as described above.

As to some implementations in the system 100, in connection with a payment account transaction by the consumer 114 at the merchant 102, for example, the consumer 114 is invited to provide his/her biometric PIN for purposes of authentication. In response, the consumer 114 provides the fingerprint data, in the order corresponding to his/her PIN for the payment account (i.e., through presentation of a series or sequence of biometric data), to the merchant 102, via a point-of-sale (POS) terminal. The merchant 102, in turn, communicates an authorization request (including the biometric PIN, for example, the fingerprints 116 for the consumer's right-hand middle finger, index finger, pinky finger, and ring finger) for the transaction to the acquirer 104, through the network 112, along path A in FIG. 1. In this exemplary embodiment, the biometric data associated with the consumer's biometric PIN is included at data element 105 (or DE 105) of the authorization request (and, again in this particular example, is maintained therein, in encrypted form, when the authorization request is ultimately sent to the issuer 108). However, it should be appreciated that the biometric data may be included elsewhere in the authorization request in other embodiments (e.g., in other data elements, etc.), or even removed therefrom by the payment network 106 when the actual PIN is appended to the authorization request (as described more below).

In turn, the acquirer 104 communicates the authorization request (including the biometric data and biometric PIN) to the payment network 106. At this point, the authentication engine 120 is configured to intercept the authorization request and to pull out the biometric PIN. For example, the authentication engine 120 may be configured to intercept the authorization request when the PAN for the consumer's payment account, as included in the authorization request, is within a range of PANs for payment accounts available for use of biometric PIN authentication (e.g., is within a range of PANs for particular payment accounts provided by the issuer 108 and being associated with biometric PIN authentication, etc.) (e.g., as determined by the authentication engine 120, as determined by an edge device at the payment network 106, as determined by an interface processing device associated with the payment network 106 and located at the acquirer 104, combinations thereof, etc.). Alternatively, the authentication engine 120 may be configured to intercept the authentication request when the PAN for consumer's payment account, as included in the authorization request, is identified in a listing of PANs for payment accounts registered for use of biometric PIN authentication (i.e., is identified in a listing of PANs for payment accounts registered to the authentication engine 120) (e.g., as determined by the authentication engine 120, as determined by an edge device at the payment network 106, as determined by an interface processing device associated with the payment network 106 and located at the acquirer 104, combinations thereof, etc.). In any case, once the authorization request is intercepted, the authentication engine 120 is also configured to retrieve the registry identifier for the consumer 114 from the data structure 122 based on the payment account identified in the authorization request (e.g., based on the PAN for the payment account, a token for the payment account, etc.). The authentication engine 120 is configured to then send the registry identifier for the consumer 114 (as retrieved from the data structure 122) and the biometric PIN (e.g., the sequence of fingerprints, or fingerprint data, included in the authorization request; etc.) to the registry 110. In response, the registry 110 is configured to verify the fingerprint data, based on the biometric data set (stored therein) corresponding to the registry identifier for the consumer 114, and provide a notification back to the authentication engine 120 indicating whether the fingerprint data associated with the biometric PIN is verified, or not.

When the fingerprint data associated with the biometric PIN is verified, the authentication engine 120 is configured to map the fingerprint data to the characters assigned by the consumer 114, based on the map stored in the data structure 122, and to include the actual PIN in the authorization request. The authentication engine 120, and more generally, the payment network 106, is configured to then transmit and/or pass the authorization request (with the actual PIN included therein) to the issuer 108. In this exemplary embodiment, the authentication engine 120 and/or the payment network 106 may be configured to further append a biometric authentication indicator to the authorization request (e.g., at DE 48, sub-element 17, etc.) having a value of “1” or “2” (or some other suitable value or indicator) to indicate that biometric authentication has been performed. That is, the authentication engine 120 is configured to authenticate the consumer 114 based on the biometric data in the biometric PIN, and thus is able to append the indicator to the authorization request indicating that a biometric match of the consumer 114 occurred at the time of the transaction, or not.

It should be appreciated that in at least one embodiment, rather than passing the biometric data to the issuer 108, the biometric data is removed from the authorization request (or other message directed to the issuer 108) (whereby the issuer 108 relies on the actual PIN and/or the biometric authentication indicator).

The issuer 108 then verifies the actual PIN as associated with the consumer's payment account and determines if the payment account is in good standing and if there is/are sufficient credit/funds to complete the transaction, etc. The issuer 108 may further rely on the biometric authentication indicator (or actual biometric data for the consumer 114), when included in the authorization request, to approve the transaction. As such, the issuer 108 in turn responds with an authorization reply to the merchant 102, again, generally along path A, approving or declining the transaction. The merchant 102 is able to proceed as appropriate. If the transaction is approved, the transaction is later cleared and settled by and between the merchant 102 and the acquirer 104 and by and between the acquirer 104, the payment network 106, and the issuer 108 (in accordance with settlement arrangements, etc.).

As to other implementations in the system 100, in connection with a payment account transaction by the consumer 114 at the merchant 102 using the payment device 124, for example, the POS terminal (not shown) at the merchant 102 is configured to prompt the consumer 114 to enter a biometric, or more specifically, a biometric combination, at the payment device 124 associated with his/her PIN. In response, the consumer 114 applies the fingers defining the biometric combination to the biometric readers 126 and 128 (e.g., a right-hand thumb and a right-hand middle finger, etc.) and, in turn, the payment device 124 is configured to capture, at the fingerprint readers 126 and 128, first and second fingerprint data associated with the first and second fingers applied thereto. The payment device 124 is configured to then transmit the fingerprint data (for the consumer's first and second fingers) to the merchant 102 (and, specifically, the POS terminal) in association with the payment account transaction directed to the consumer's payment account associated with the payment device 124. In this exemplary embodiment, the payment device 124 is configured to provide the fingerprint data in a specific order of the combination, i.e., the fingerprint data from the biometric reader 126 may be first while the fingerprint data from the biometric reader 128 may be second, in order, thereby permitting the authentication engine 120 and the payment network 106 to distinguish between different holding patterns (or more generally, biometric combinations, etc.).

While fingers and fingerprints are employed as biometrics and biometric data in this exemplary embodiment, it should be appreciated that certain other biometrics and biometric data may be employed in other embodiments, for example, depending on the biometric readers 126 and 128 included at the payment device 124, etc. Further, in some embodiments, the merchant 102 may be associated with one or more biometric readers (e.g., as part of the POS terminal, etc.), whereby when the consumer 114 performs the transaction at the merchant 102, the merchant 102 may capture one or more biometrics from the consumer 114 via its biometric reader(s) (e.g., as part of the POS terminal, etc.) (in addition to or apart from the biometric readers 126 and 128 at the payment device 124) as part of receiving the consumer's biometric combination. In at least one embodiment, the consumer 114 may provide the biometric combination to the merchant 102 via one or more biometric readers at the merchant's POS terminal (without providing any biometrics to the payment device 124). In connection therewith, the POS terminal may include two or more separate biometric readers for receiving the consumer's biometric combination, or the POS terminal may include a single input device comprising two or more biometric readers for receiving the consumer's biometric combination.

In response to receiving the biometric combination from the consumer 114, the merchant 102 is configured to communicate an authorization request for the transaction (including the fingerprint data for the biometric combination) to the acquirer 104, through the network 112, along path A in FIG. 1. In turn, the acquirer 104 communicates the authorization request (including the fingerprint data) to the payment network 106. At this point, the authentication engine 120 is configured to intercept the authorization request and to pull out the fingerprint data (i.e., representing the biometric combination). For example, the authentication engine 120 may be configured to intercept the authorization request based on the PAN, such as, for example (and without limitation), when the PAN for the consumer's payment account, as included in the authorization request, is within a range of PANs for payment accounts available for use of biometric authentication (e.g., the PAN is within a range of PANs for particular payment accounts provided by the issuer 108 and being associated with biometric combination/PIN authentication, etc.). As a further example (and without limitation), the authentication engine 120 may be configured to intercept the authentication request when the PAN for consumer's payment account, as included in the authorization request, is identified in a listing of PANs for payment accounts registered for use of biometric combination/PIN authentication (i.e., the PAN is identified in a listing of PANs for payment accounts registered to the authentication engine 120).

In any case, once the authorization request is intercepted, the authentication engine 120 is configured to retrieve the registry identifier, or more specifically, in this example, a UID number for the consumer 114 from the data structure 122 based on the authorization request (e.g., based on the PAN for the payment account, a token for the payment account, etc.). The authentication engine 120 is configured to then transmit the UID number and fingerprint data to the registry 110. In response, the registry 110 is configured to verify the fingerprint data, based on the biometric data set (i.e., reference biometric data stored in the registry 110) corresponding to the UID number for the consumer 114, and provide a notice to the authentication engine 120 indicating whether the fingerprint data is verified, or not. The authentication engine 120 is configured to then receive the notice of verification of the fingerprint data from the biometric registry 110.

When the fingerprint data is verified, the authentication engine 120 is configured to convert and/or map the fingerprint data to the associated PIN, as stored in the data structure 122, and to append the associated PIN in the authorization request. The authentication engine 120, and more generally, the payment network 106, is configured to then transmit and/or pass the authorization request (with the associated PIN included therein) to the issuer 108. In this exemplary embodiment, the authentication engine 120 and/or the payment network 106 may be configured to further append a biometric authentication indicator to the authorization request (e.g., at DE 48, sub-element 17, etc.) having a value of “1” or “2” (or some other suitable value or indicator) to indicate that biometric authentication has been performed. That is, the authentication engine 120 is configured to authenticate the consumer 114 based on the biometric data in the biometric combination, and thus is able to append the indicator to the authorization request indicating that a biometric match of the consumer 114 occurred at the time of the transaction, or not.

Then, upon receipt of the authorization request, the issuer 108 is configured to validate the associated PIN, as a valid PIN for the payment account.

What's more, the issuer 108 may be configured to identify one or more rules, which are specific to and/or correspond to the associated PIN. The rules may include limitations of transaction amount, limitation of region (e.g., based on Postal Codes, countries, etc.), limitations of merchant (e.g., based on categories, based on merchant category code (MCC), etc.), or other suitable limitations of transactions. Example rules are provided with associated PINs in Table 2, below. Once the one or more rules is identified, the issuer 108 is configured to apply the rules to the transaction, and specifically, the authorization request, to determine, at least in part, whether to approve or decline the transaction. So, where a rule is related to a transaction amount limit of less than $100 is specific to and/or corresponds to an associated PIN, and the authorization request includes the associated PIN and a transaction amount of $140, the issuer 108 is configured to determine the transaction fails to satisfy the rule specific to and/or corresponding to the associated PIN and to decline the transaction. That said, when the transaction satisfies the one or more rules specific to and/or corresponding to the associated PIN, the issuer 108 is configured to approve the transaction, subject to one or more other aspects of the issuer's approval process for the transaction (e.g., good standing, sufficient fund, etc.).

It should be appreciated that in at least one embodiment, rather than passing the biometric data to the issuer 108, the biometric data may be removed from the authorization request (or other message directed to the issuer 108), whereby the issuer 108 relies on the associated PIN and/or the biometric authentication indicator appended to the authorization request without receiving actual biometric data for the consumer 114).

While only one consumer 114, one merchant 102, one acquirer 104, one issuer 108, and one registry 110 are shown in the system 100 in FIG. 1 (for ease of illustration), it should be appreciated that a different number of these entities, parts and/or persons may be included in the system 100, or may be included as a part of systems in other embodiments, consistent with the present disclosure. Likewise, it should be understood that multiple consumers may be associated with implementation of the features described herein, despite only consumer 114 being illustrated in FIG. 1.

FIG. 2 illustrates an exemplary computing device 200 that may be used in the system 100. The computing device 200 may include, for example, one or more servers, workstations, personal computers, laptops, tablets, smartphones, PDAs, terminals, POS terminals, etc. In addition, the computing device 200 may include a single computing device, or it may include multiple computing devices located in close proximity or distributed over a geographic region, so long as the computing devices are specifically configured to function as described herein. In the system 100 of FIG. 1, each of the entities, i.e., the merchant 102, the acquirer 104, the payment network 106, the issuer 108, and the registry 110 are illustrated as including, or being implemented in, a computing device 200, coupled to (and in communication with) the network 112. In addition, as shown in FIG. 1, the consumer 114 is associated with a computing device 200, which may be coupled to (and in communication with) the network 112. Further, the payment device 124 associated with the consumer 114 may be considered a computing device consistent with computing device 200. That said, the system 100, or parts thereof, should not be understood to be limited to the computing device 200, as other computing devices may be employed in other system embodiments. In addition, different components and/or arrangements of components may be used in other computing devices.

Referring to FIG. 2, the exemplary computing device 200 includes at least one processor 202 and a memory 204 coupled to (and in communication with) the processor 202. The processor 202 may include one or more processing units (e.g., in a multi-core configuration, etc.). For example, the processor 202 may include, without limitation, a central processing unit (CPU), a microcontroller, a reduced instruction set computer (RISC) processor, an application specific integrated circuit (ASIC), a programmable logic device (PLD), a gate array, and/or any other circuit or processor capable of the functions described herein (e.g., an EMV card-integrated circuit, chip, processor, etc.; etc.).

The memory 204, as described herein, is one or more devices that permit data, instructions, etc., to be stored therein and retrieved therefrom. The memory 204 may include one or more computer-readable storage media, such as, without limitation, dynamic random access memory (DRAM), static random access memory (SRAM), read only memory (ROM), erasable programmable read only memory (EPROM), solid state devices, flash drives, CD-ROMs, thumb drives, floppy disks, tapes, hard disks, and/or any other type of volatile or nonvolatile physical or tangible computer-readable storage media. The memory 204 may be configured to store, without limitation, biometric-character maps, fingerprint data, authorization requests/replies, biometric PINs, biometric combinations, actual PINs, and/or other types of data (and/or data structures) suitable for use as described herein. Furthermore, in various embodiments, computer-executable instructions may be stored in the memory 204 for execution by the processor 202 to cause the processor 202 to perform one or more of the functions described herein, such that the memory 204 is a physical, tangible, and non-transitory computer readable storage media. Such instructions often improve the efficiencies and/or performance of the processor 202 that is performing one or more of the various operations herein. It should be appreciated that the memory 204 may include a variety of different memories, each implemented in one or more of the operations or processes described herein.

In the exemplary embodiment, the computing device 200 includes a presentation unit 206 that is coupled to (and that is in communication with) the processor 202 (however, it should be appreciated that the computing device 200 could include output devices other than the presentation unit 206, etc.). The presentation unit 206 outputs information (e.g., requests to register biometric PINs or biometric combinations, etc.), either visually or audibly to the consumer 114 at the computing device 200, for example. Various interfaces (e.g., as defined by network-based applications, etc.) may be displayed at the computing device 200 (to a user of the given computing device 200), and in particular at presentation unit 206, to display such information. The presentation unit 206 may include, without limitation, a liquid crystal display (LCD), a light-emitting diode (LED) display, an organic LED (OLED) display, an “electronic ink” display, speakers, etc. In some embodiments, presentation unit 206 includes multiple devices.

The computing device 200 also includes an input device 208 that receives inputs from the user (i.e., user inputs) such as, for example, request to assign biometric PINs, requests to assign biometric combinations, biometric inputs, etc., or inputs from other computing devices. The input device 208 is coupled to (and is in communication with) the processor 202 and may include, for example, a keyboard, a pointing device, a mouse, a stylus, a biometric reader (e.g., a fingerprint reader, a retina scanner, a voice recognition reader, etc.), multiple biometric readers integrated together into a single input device, a touch sensitive panel (e.g., a touch pad or a touch screen, etc.), another computing device, and/or an audio input device. Further, in various exemplary embodiments, a touch screen, such as that included in a tablet, a smartphone, or similar device, behaves as both a presentation unit and an input device.

In addition, the illustrated computing device 200 also includes a network interface 210 coupled to (and in communication with) the processor 202 and the memory 204. The network interface 210 may include, without limitation, a wired network adapter, a wireless network adapter (e.g., an NFC adapter, a Bluetooth™ adapter, etc.), a mobile network adapter, or other device capable of communicating to/with one or more different networks, including the network 112. Further, in some exemplary embodiments, the computing device 200 includes the processor 202 and one or more network interfaces incorporated into or with the processor 202.

FIG. 3 illustrates an exemplary method 300 for use in registering a biometric PIN for a consumer and/or payment account. The exemplary method 300 is described with reference to the authentication engine 120, the registry 110 and the consumer 114 of the system 100, and with additional reference to the computing device 200. However, the methods herein should not be understood to be limited to the exemplary system 100 or the exemplary computing device 200, and likewise, the systems and the computing devices herein should not be understood to be limited to the exemplary method 300.

In the method 300, the consumer 114 accesses the authentication engine 120, at 302. In particular, the consumer 114 may log-in to a network-based application associated with the authentication engine 120, directly (or indirectly, when the application is more broadly provided by the payment network 106). Then, upon access, the authentication engine 120 offers an option for the consumer 114 to register for a biometric PIN, at 304. The offer may be pushed to the consumer 114, through the network-based application, or may be presented in connection with a selection or other input from the consumer 114 to register for the biometric PIN. In response, at 306, the consumer 114 requests to register for the biometric PIN. In particular, the consumer 114 provides his/her registry identifier, which is associated with the registry 110 and with the biometric data set for the consumer 114 at the registry 110. In addition, the consumer 114 provides fingerprint data, via the computing device 200 and, specifically, via a fingerprint scanner input device 208 associated with the computing device 200, etc.

In connection therewith, the consumer 114 also provides an assignment for each finger/fingerprint provided to the authentication engine 120, or for multiple fingers/fingerprints, to desired characters, such as, for example, numbers, letters, etc. In the above example, the consumer 114 indicates that the index finger of the right hand is to be assigned to the number “3,” the middle finger on the right hand 118 is to be assigned to the number “8,” the ring finger is to be assigned to the number “1,” and the pinky finger is to be assigned to the number “4,” whereby the actual PIN desired by the consumer 114 is “8341.” Thus, the request provided by the consumer 114 to register for the biometric PIN includes the consumer's registry identifier, the scanned fingerprint data for the consumer 114, and the assignment of characters to the scanned fingerprint data, all of which is transmitted (as part of the request), via the network-based application, from the consumer 114 (i.e., via the consumer's computing device 200) to the authentication engine 120.

Then, upon receipt of the request from the consumer 114, the authentication engine 120 sends a request for verification of the consumer's fingerprint data (as included in the request), to the registry 110, at 308. The request includes the received fingerprint data (e.g., the actual fingerprint data for each of the consumer's fingers, or a series of fingerprints for the consumer 114, etc.) and the consumer's registry identifier.

The registry 110, in turn, verifies the fingerprint data for the consumer 114 based on the registry identifier, at 310. In particular, the registry 110 retrieves the biometric data set corresponding to the registry identifier for the consumer 114 (as previously provided to the registry 110 by the consumer 114), and compares the retrieved biometric data set to the fingerprint data received from the authentication engine 120. The registry 110 then notifies, at 312, the authentication engine 120 that the fingerprint data is either verified or not verified, based on the comparison (e.g., based on whether there is a match between the fingerprint set and the received fingerprint data (i.e., within conventionally accepted standards and/or requirements, etc.), etc.).

When the fingerprint data is verified, the authentication engine 120 creates, at 314, a map for the fingerprint data and the assigned characters therefore and stores the map in the data structure 122. As described, Table 1 again illustrates an example of a map, which may be created for the consumer 114 and stored in the data structure 122, by the authentication engine 120, based on the exemplary assignments above. In addition, the authentication engine 120 further stores the registry identifier for the consumer 114 (as provided by the consumer 114 in the registration request) in the data structure 122, in association with the payment account of the consumer 114, such that, as described below, it may be subsequently retrieved for use in authenticating the consumer 114 using his/her biometric PIN in connection with a transaction directed to the consumer's payment account (e.g., based on the PAN for the consumer's payment account as included in an authorization request for the transaction, etc.). Thereafter, the authentication engine 120 notifies the consumer 114 of the successful creation of the biometric PIN, at 316, via the computing device 200 and/or the network-based application, etc.

Finally in the method 300, the authentication engine 120 identifies the consumer's payment account as enrolled with the authentication engine 120, whereby subsequent transactions involving the consumer's payment account will be flagged and directed to (and/or intercepted by) the authentication engine 120. In particular, for example (and as generally described above in the system 100), the PAN for the consumer's payment account may be appended to a list of PANs registered to the authentication engine 120. Thereafter, when an authorization request includes the PAN, as included in the registered list, the authentication engine 120 and/or payment network 106 intercepts the transaction, as described below in method 400. In one or more other embodiments, the consumer 114 may register with the authentication engine 120 in connection with applying for the payment account, whereby the PAN then assigned to the consumer 114 for the payment account is included in a range of PANs registered to the authentication engine 120. As a result, upon receipt of an authorization request for a transaction involving the consumer's payment account, the payment network 106 and/or authentication engine 120 may determine if the PAN is within the registered range in order to determine whether to intercept the authorization request.

FIG. 4 illustrates an exemplary method 400 for use in authenticating a consumer, in connection with a transaction by the consumer at a merchant, based on a biometric PIN assigned to the consumer (e.g., in the manner described in method 300, etc.). The exemplary method 400 is described with reference to the authentication engine 120, the merchant 102, the payment network 106, the issuer 108, and the registry 110 in the system 100, and with additional reference to the computing device 200. However, again, the methods herein should not be understood to be limited to the exemplary system 100 or the exemplary computing device 200, and likewise, the systems and the computing devices herein should not be understood to be limited to the exemplary method 400.

In this exemplary embodiment, initially, the consumer 114 attempts to make a purchase at a physical storefront of the merchant 102. In connection with the purchase attempt, the consumer 114 presents, at 402, a payment device associated with his/her payment account to the merchant 102, whereupon the payment device is provided to and/or read by the POS terminal (as shown in FIG. 4) at the merchant 102 (e.g., a payment account credential (e.g., the PAN, or a token, etc., for the payment account) is read from the payment device, etc.). The merchant 102 then, via the POS terminal, prompts, at 404, the consumer 114 to enter his/her biometric PIN for the payment account. In response, the consumer 114 provides the biometric PIN, at 406. In particular, and consistent with the above example in method 300, the actual PIN of “8341” may be associated with the consumer's payment account. In connection therewith, the consumer 114 registered his/her fingers to specific characters, or numbers (i.e., 8 is assigned to the middle finger (on the right hand), 3 to the index finger, 4 to the pinky finger and 1 to the ring finger, as indicated in Table 1) when requesting the biometric PIN. As such, to provide the biometric PIN to the merchant 102 as part of authenticating the user, in this example, the consumer 114 successively presents his/her right-hand middle finger to be scanned, by the POS terminal, then his/her right-hand index finger, then his/her right-hand pinky finger, and finally his/her right-hand ring finger (i.e., as a series or sequence of fingerprints). The merchant 102 receives the fingerprint data (broadly, receives the consumer's biometric PIN) from the consumer 114 for the four fingerprints, in order (as a sequence), and generates and sends an authorization request (including the biometric PIN), at 408, along to the acquirer 104. As indicated above in the system 100, the authorization request includes the fingerprint data received from the consumer 114, and may further include a transaction amount for the attempted purchase, a time, a date, an acquirer ID, the PAN associated with the consumer's payment account, an expiration date for the consumer's payment device, and/or other transaction data necessary and/or desired to approve or decline the transaction (all of which is collectively referred to as transaction data included in the authorization request).

Alternatively, as indicated by the dotted box in FIG. 4, the consumer 114 may attempt to purchase a product from the merchant 102, at a virtual storefront associated with the merchant 102. In connection with the attempt, the consumer 114 provides to the merchant 102, at 410, a payment account credential associated with the consumer's payment device and/or the payment account (e.g., manually or automatically (e.g., by scanning, etc.), etc.). The merchant 102, in response, prompts the consumer 114 for the biometric PIN, at 412. The consumer 114, via the computing device 200, provides the biometric PIN, at 414, consistent with the description above. Whereupon, the computing device 200 associated with the consumer 114 captures the sequence of four fingerprints (i.e. for the middle finger, index finger, pinky finger, and ring finger, in succession) and sends the fingerprint data to the merchant 102, at 416. In turn, as above, the merchant 102 receives the fingerprint data for the biometric PIN, and generates and sends an authorization request for the transaction (including the fingerprint data and other transaction data as described above), at 408, along to the acquirer 104.

Regardless of the manner of interaction between the consumer 114 and the merchant 102, in this exemplary embodiment, the acquirer 104 forwards the authorization request to the issuer 108, via the payment network 106, at 418. In so doing, the payment network 106 (and/or authentication engine 120 via the payment network 106) intercepts the authorization request (in the manner described above in the system 100 and in the method 300) and retrieves, at 420, the consumer's registry identifier, from the data structure 122, based on association of the payment account identified in the authorization request therewith (e.g., based on the PAN for the consumer's payment account, a token for the consumer's payment account, etc.). Then, the authentication engine 120 sends a request for verification of the fingerprint data included in the biometric PIN (as retrieved from the authorization request), at 422, to the registry 110. The request includes at least the retrieved registry identifier for the consumer 114 and the fingerprint data for the consumer's biometric PIN. In response, the registry 110 verifies, at 424, the four fingerprints associated with the consumer's biometric PIN, based on reference fingerprints stored therein. Specifically, the registry 110 identifies and retrieves the biometric data set including the fingerprint data (or other biometrics) for the consumer 114 based on the registry identifier. Once retrieved, the registry 110 employs conventional methods to determine if the fingerprint data received from the authentication engine 120 matches the reference fingerprint data at the registry 110 (i.e., exactly, or within conventionally accepted standards and/or requirements, etc.). Once verified, or not, the registry 110 notifies, at 426, the authentication engine 120 that the fingerprint data is verified or not verified.

If one or more of the fingerprints provided with the biometric PIN do not match the reference fingerprint data at the registry (such that the registry notifies the authentication engine 120 that the fingerprint data is not verified), the authentication engine 120 will in turn determine that the consumer 114 is not verified. Thereafter, the authentication engine 120 and/or the payment network 106 will decline the transaction via an appropriate response to the merchant 102 (e.g., at operation 436, below, etc.). Alternatively, in one or more other embodiments, only the fingerprint data that is verified by the registry 110 may be converted to the actual PIN (in the manner described below), with extraneous biometric data ignored, such that the actual PIN may then be partial or incorrect. In this latter manner, the issuer 108 then determines whether to approve or decline the transaction based on the actual PIN, whether correct or partial or incorrect (with the authentication engine 120 and/or payment network 106 merely acting to convert, as described below, the verified information and transmit it to the issuer 108).

However, when the fingerprints provided with the biometric PIN are verified, the authentication engine 120 converts, at 428, the fingerprints to characters, based on the map for the consumer 114 and/or payment account stored in the data structure 122. Here, consistent with Table 1 and the example above, the authentication engine 120 converts the fingerprint for the consumer's right-hand middle finger to an “8,” the fingerprint for the consumer's right-hand index finger to a “3,” the fingerprint for the consumer's right-hand pinky finger to a “4,” and the fingerprint for the consumer's right-hand ring finger to a “1.” The conversion, by the authentication engine 120, results in the actual PIN of 8341. The authentication engine 120 then appends the actual PIN to the authorization request and sends, at 430, the authorization request along to the issuer 108 with the actual PIN included therein (e.g., in place of the biometric data, or elsewhere in the authorization request along with the biometric data or along with a biometric authentication indicator (as described above in the system 100), etc.).

In response, the issuer 108 checks, evaluates, etc., the payment account associated with the authorization request (e.g., as identified by the PAN, a token, etc.) to approve or decline the transaction, at 432, based on, at least in part, the actual PIN included in the authorization request matching a reference PIN associated with the consumer's payment account. The transaction may further be approved or declined based on the standing of the payment account, the funds available from the payment account, business rules (e.g., fraud prevention rules, etc.), etc.

Then, the issuer 108 sends the approve or decline response, i.e. generates an authorization reply, at 434, to the payment network 106, which then forwards, at 436, the authorization reply to the merchant 102. As is conventional, then, the merchant 102 generates a receipt for the transaction, at 438, and provides the receipt to the consumer 114, at 440 (e.g., physically, electronically, etc.).

FIG. 5 illustrates an exemplary method 500 for use in enrolling a biometric combination for subsequently authenticating a consumer to a payment account and/or for establishing at least one rule associated with the biometric combination and payment account. The exemplary method 500 is described with reference to the consumer 114, the authentication engine 120, and the registry 110 in the system 100, and with additional reference to the computing device 200. However, again, the methods herein should not be understood to be limited to the exemplary system 100 or the exemplary computing device 200, and likewise, the systems and the computing devices herein should not be understood to be limited to the exemplary method 500.

Initially, as described above, the issuer 108 has issued a payment account to the consumer 114 along with the payment device 124. As shown in FIG. 1, the payment device 124 includes the two biometric readers 126 and 128, which provide the opportunity for the consumer 114 to place any of several combinations of biometrics on the two readers 126 and 128. For example, the consumer 114 may apply a right-hand index finger and a right-hand thumb to the payment device 124, whereby the payment device 124 may capture a fingerprint from each of the right-hand index finger and thumb. As should be appreciated, any combination of fingers or, more broadly, biometrics, may be provided to one or more of the biometric readers 126 and 128 of the payment device 124 or to other biometric readers (including biometric readers other than or in addition to fingerprint readers, etc.) in other payment devices to provide different biometric combinations. The different biometric combinations may then be associated with particular rules, or not, which are restrictive and/or linked to use of the consumer's payment account. In connection therewith, method 500 is provided to enroll the biometric combinations and/or rules.

Here, the consumer 114 desires and/or needs to enroll multiple different biometric combinations and multiple different rules as provided in Table 2 below. As shown, for example, the first biometric combination includes the right index finger and the right thumb (in order), which is associated with a PIN 1234 and may be used for purchases of less than $350 and within the Postal Code 12345. And, the fourth biometric combination includes the left thumb and right ring finger (i.e., a finger on different hands, which, generally, would be more difficult to guess and/or find, etc.), which is associated with a PIN 9257 and includes no restriction (presumably because of the more complicated biometric combination). What's more, the biometric combinations may be ordered combinations, whereby, as shown, the right middle finger and right thumb correspond to one PIN, while the right thumb and the right middle finger (both ordered combinations) correspond to a different PIN. It should be appreciated that the order of the biometrics within the biometric combination may be specific, such that one biometric is applied to the biometric reader 126, while another is applied to the biometric reader 128. That said, the order and/or association of the biometrics with the specific biometric readers 126 and 128 may be omitted in other method embodiments. Notwithstanding the examples below, it should be appreciated that any biometric combination (including biometrics other than fingerprints) may be enrolled, and associated, or not, with one or more rules.

TABLE 2 Biometric Combination PIN Rule Right index finger; 1234 Purchase $0 to $350; within Postal right thumb Code 12345 Right middle finger; 4321 Purchase $351 to $1000; within Postal right thumb Code 12345 Right thumb; 4567 Purchase at food and/or apparel right middle finger merchant Left thumb; 9275 No restriction right ring finger

In view of the above, different biometric combinations therefore may be associated with the different PINs, whereby the consumer 114 is expected to remember the biometric combinations (e.g., holding patterns, etc.) rather than the individual PIN numbers associated with the restrictions.

With that said, turning to the method 500, to enroll the above biometric combination(s), the consumer 114, at the computing device 200, accesses, at 502, the authentication engine 120, for example, via a network-based application (e.g., a mobile app, a website, etc.) specific to the authentication engine 120 (e.g., as provided by the payment network 106, the issuer 108, etc.). As part of the access and/or separately, the consumer 114 requests to enroll a biometric combination with the authentication engine 120. In response, at 504, the authentication engine 120 solicits the biometric combination from the consumer 114. The authentication engine 120 may solicit the biometrics of the biometric combination to be provided one at a time, at a biometric scanner input device 208 of the computing device 200 (associated with the consumer 114). Or, the authentication engine 120 may, optionally, solicit the biometrics in a manner that indicates which of biometric readers 126 and 128 the biometrics will be associated with (e.g., “Please provide a biometric to be associated with the front side biometric reader 126 of the payment device 124,” or “Please provide a biometric to be associated with the back side biometric reader 128 of the payment device 124,” etc.). In embodiments in which the order of the biometrics is not recognized, such instructions related to an order of enrollment of the biometric combination may be omitted.

The authentication engine 120 may further request an associated PIN and/or rule, through one or more interfaces, for the biometric combination. For example, the authentication engine 120 may request that the consumer 114 enter and/or select a PIN (e.g., which may include a new PIN, or a PIN already registered with the issuer 108, etc.) and, if applicable, the rules to be associated with the PIN/biometric combination. It should be appreciated that where the PIN already exists and/or is enrolled with the issuer 108, the rule(s) may also already be enrolled with the issuer 108 and associated with the PIN. In such embodiments, the enrollment in method 500 may be limited to enrolling the biometric combination for association with the PIN.

In response to the prompt by the authentication engine 120, the consumer 114 provides the desired fingerprint data, at 506. Specifically, the consumer 114 provides fingerprint data for a right index finger to the computing device 200, which is captured by the biometric scanner input device 208 of the computing device 200, and fingerprint data for a right thumb to the computing device 200, which is captured by the biometric scanner input device 208 of the computing device 200. In addition, the consumer 114 provides the associated PIN (e.g., 1234, etc.) to the computing device 200 (e.g., via the network-based application, etc.). The computing device 200 then transmits, at 508, the captured fingerprint data (i.e., representative of the right index finger and the right thumb in this example) along with the PIN number (i.e., 1234 in this example), and one or more identifiers associated with the consumer 114 (e.g., a UID number, a PAN, etc.) to the authentication engine 120 (e.g., via the network-based application, etc.).

Upon receipt, the authentication engine 120 transmits, at 510, the fingerprint data (broadly, the biometric data) and the identifier associated with the consumer 114 to the biometric registry 110. The biometric registry 110, in turn, retrieves one or more biometric references for the consumer 114, at 512, based on the consumer's identifier, and verifies, at 514, the received fingerprint data to the retrieved biometric references for the consumer 114, etc. When the fingerprint data is verified, by the biometric registry 110, the biometric registry 110 transmits, at 516, a verification notice to the authentication engine 120. And, the authentication engine 120 then stores, at 518, the received fingerprint data for the biometric combination in memory (e.g., the memory 204, etc.), in the data structure 122, as reference biometric data in association with the PIN provided by the consumer 114. In this manner, the authentication engine 120 is able to later identify the consumer's PIN when subsequently received biometric data (as part of a biometric combination provided by the consumer 114) is consistent with the reference biometric data stored in association with the PIN for the consumer 114.

In addition, optionally, if one or more rules is provided by the consumer 114 to the authentication engine 120 along with the biometric combination and the PIN, the authentication engine 120 may further store the one or more rules in association with the biometric combination (e.g., the biometric combination applies to purchases of $0 to $350 and within the Postal code 12345, etc.) (at operation 518, following verification by the registry 110 of the fingerprint data associated with the biometric combination). In this way, the authentication engine 120 and/or the payment network 106 may apply the rules in connection with a transaction by the consumer 114 (e.g., at its/their own initiative, as a stand-in service for the issuer 108, etc.). In addition, the authentication engine 120 may transmit the one or more rules to the issuer 108, along with and/or in association with the PIN, whereby the issuer 108 may then apply the rules in connection with approving or declining a transaction to the consumer's payment account.

Thereafter, the authentication engine 120 transmits, at 520, a notification to the consumer 114 that indicates the biometric combination (and PIN and one or more rules, as application) is/are enrolled for the payment account.

It should be appreciated that, in the method 500, the consumer 114, at the network-based application (accessed at 502) may repeat the operations 502-520, or parts thereof, for each of the additional biometric combinations desired to be registered (e.g., for each of the additional biometric combinations included in Table 2, etc.). As such, each of the desired biometric combinations may be enrolled to the authentication engine 120, whereby the consumer 114 may use different biometric combinations to authenticate himself/herself at the payment device 124 for different transactions, based on the applicable rules associated therewith (but, generally, without having to remember the specific PIN associated with the different rules).

FIG. 6 illustrates an exemplary method 600 for use in authenticating a consumer, in connection with a transaction by the consumer at a merchant, based on a biometric combination applied to the consumer's payment device and/or the POS terminal. The exemplary method 600 is described with reference to the merchant 102, the payment network 106, the issuer 108, the biometric registry 110 and the authentication engine 120 in the system 100, and with additional reference to the computing device 200. However, again, the methods herein should not be understood to be limited to the exemplary system 100 or the exemplary computing device 200, and likewise, the systems and the computing devices herein should not be understood to be limited to the exemplary method 600.

In this exemplary embodiment, the consumer 114 attempts to make a purchase at the merchant 102 (e.g., at a physical storefront, etc.), where the merchant 102 is within the Postal Code 12345 and the purchase amount is $374.56. In connection therewith, the payment device 124 is presented by the consumer 114, at 602, to POS terminal 603 (as shown in FIG. 6) at the merchant 102. As part thereof, the payment device 124 comes into contact with and/or within the vicinity of the POS terminal, whereupon the POS terminal may prompt, at 604, the consumer 114 to hold the payment device 124 according to the biometric combination (utilizing the biometric readers 126 and 128). Whether prompted in this manner, or not, the consumer 114 holds the payment device 124, at 606, such that the consumer's right middle finger is positioned on the biometric reader 126 and the consumer's right thumb is positioned one the biometric reader 128.

Thereafter, the payment device 124, and specifically, the biometric readers 126 and 128, capture fingerprint data associated with the consumer's right middle finger and the consumer's right thumb, respectively, at 608, and the payment device 124 provides the fingerprint data captured from the biometric readers 126 and 128 to the merchant 102, at 610 (e.g., to the POS terminal 603, etc.). In turn, the merchant 102 compiles and transmits an authorization request for the transaction (including the received fingerprint data, the postal code for the merchant 102, and other transaction data as described above), at 612, along to the acquirer 104.

The acquirer 104 forwards the authorization request to the issuer 108, via the payment network 106, at 614. In so doing, the payment network 106 (and/or authentication engine 120 via the payment network 106) intercepts the authorization request (in the manner described above in the system 100 and in the method 300) and retrieves, at 616, the consumer's UID number (or other suitable identifier), from the data structure 122, based on association of the payment account identified in the authorization request. Then, the authentication engine 120 transmits a request for verification of the fingerprint data for the biometric combination (as retrieved from the authorization request) and the UID number, at 618, to the biometric registry 110. The request, in some embodiments, may include further information for use by the registry 110 in verifying the fingerprint data, or not.

The biometric registry 110 verifies, at 620, the right middle finger and the right thumb, based on reference fingerprints stored therein. Specifically, the registry 110 identifies and retrieves the biometric data set including the fingerprint data (or other biometrics) for the consumer 114 based on the registry identifier and/or UID number for the consumer 114. Once retrieved, the registry 110 may employ conventional methods to determine if the fingerprint data received from the authentication engine 120 matches the reference fingerprint data at the registry 110 (i.e., exactly, or within conventionally accepted standards and/or requirements, etc.). Once verified, or not, the registry 110 notifies, at 622, the authentication engine 120 that the fingerprint data is verified or not verified.

When the fingerprints provided with the biometric combination are verified, the authentication engine 120 converts, at 624, the fingerprint data/biometric combination to the associated PIN stored in the data structure 122. In this embodiment, and consistent with Table 2, the authentication engine 120 converts the two fingerprints (i.e., one for the right middle finger and one for the right thumb) to the four-digit PIN 4321. That is, the authentication engine 120 in this embodiment converts both of the fingerprints, in combination, to the specific PIN, as opposed to converting each fingerprint, on its own, to a specific, individual digit. As such, in this embodiment, the authentication engine 120 does not convert the one fingerprint to one digit, and then the other fingerprint to a second digit, to reach the PIN. Rather, it is the biometric combination of the two fingerprints, being present in combination, which results in the specific PIN. The authentication engine 120 then appends the associated PIN to the authorization request, at 626, and transmits the authorization request, at 628, along to the issuer 108 with the associated PIN included therein (e.g., in place of the fingerprint data, or elsewhere in the authorization request along with the fingerprint data or along with a biometric authentication indicator (as described above in the system 100), etc.).

In response, the issuer 108 initially checks, at 630, the associated PIN to determine whether the associated PIN matches a PIN for the payment account and/or payment device 124 in memory (e.g., the memory 204, etc.). When a match is found, the issuer 108 retrieves and applies, at 632, any rules associated with the PIN, which, in this example, include a transaction amount limitation of between $350 and $1000 and a transaction location limitation within a Postal Code 12345. And, in this example, as explained above, the transaction amount is within the range of the first rule, and the merchant 102 is also within the postal code indicated by the second rule. As such, the issuer 108 will approve the transaction (often, subject to any other checks, evaluations, etc.). For example, the transaction may further be approved or declined based on the standing of the payment account, the funds available from the payment account, business rules (e.g., fraud prevention rules, etc.), etc.

Then, the issuer 108 compiles and transmits, at 634, the approve or decline response, i.e., an authorization reply, to the payment network 106, which then forwards, at 636, the authorization reply to the merchant 102. As is conventional, then, the merchant 102 generates a receipt for the transaction and provides the receipt to the consumer 114.

It should be appreciated that if, in this example, the consumer 114 had applied the right index finger and right thumb to the biometric readers 126 and 128, initially, the authentication engine 120 would have mapped the biometric combination to the PIN 1234. Then, when the issuer 108 received the authorization request with the PIN 1234, it would have retrieved and applied, at 630, the rules associated with the PIN 1234 (i.e., $0 to $350 and within Postal Code 12345, etc.), and as such, the issuer 108 would have declined the transaction for violating the first one of the rules associated with the PIN (i.e., because the amount of the example transaction is larger than $350). Thereafter, an authorization reply would have been generated and transmitted, by the issuer 108, to indicate the decline to the merchant 102 and/or the consumer 114, where the consumer may have been given the opportunity to provide a different biometric combination for authentication (i.e., a correct biometric combination).

In view of above, the systems and methods herein permit a consumer to use either a biometric PIN or a biometric combination as a mechanism to authenticate himself/herself, in connection with a payment account transaction. The biometric PIN or biometric combination provides the security of biometric authentication, but goes further, by utilizing multiple biometrics of the consumer to define the biometric PIN or biometric combination that may be mapped to an actual or associated PIN for the consumer's payment account (which is known to an issuer of the consumer's payment account). It is possible, then, in some embodiments, that biometric authentication may be employed by a payment network in a payment account transaction, without knowing/using the actual PIN of the payment account involved in the transaction (such that the actual PIN remains secret to the consumer and the issuer) and while making involvement of biometrics in connection with such authentication transparent to the issuer (such that the issuer is not aware of the consumer's biometrics and need not examine the consumer's biometrics). As such, with minimal impact, if any, to the issuer, the payment network affords a substantial improvement to authentication of the consumer for his/her payment account associated with the issuer.

In addition, it should be appreciated that providing multiple biometric PINs and/or biometric combinations, multiple different rules may be applied to different transactions, depending on which biometric PIN or biometric combination is provided for the transaction. What's more, the restrictions offered by the biometric PINs and/or biometric combinations provide increased security as fraudsters would not only need to present biometrics associated with authorized users, but would also have to know the sequence and/or combination appropriate for the given restrictions on the payment accounts. Further, the systems and methods herein permit multiple different PINs to be associated with different rules, to provide enhanced transaction security, without tasking the consumers with remembering different numerical PINs.

Again, and as previously described, it should be appreciated that the functions described herein, in some embodiments, may be described in computer executable instructions stored on a computer-readable media, and executable by one or more processors. The computer readable media is a non-transitory computer-readable storage medium. By way of example, and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Combinations of the above should also be included within the scope of computer-readable media.

It should also be appreciated that one or more aspects of the present disclosure transform a general-purpose computing device into a special-purpose computing device when configured to perform the functions, methods, and/or processes described herein.

As will be appreciated based on the foregoing specification, the above-described embodiments of the disclosure may be implemented using computer programming or engineering techniques including computer software, firmware, hardware or any combination or subset thereof, wherein the technical effect may be achieved by performing at least one of the following operations: (a) intercepting, by computing device, an authorization request associated with a transaction to a payment account, the authorization request including a series of biometric data associated with a consumer; (b) verifying the series of biometric data; (c) converting, by the computing device, the series of biometric data to an actual person identification number (PIN), the actual PIN including a series of characters; (d) appending, by the computing device, the actual PIN to the authorization request; and (e) transmitting the authorization request to an issuer associated with the payment account, thereby permitting the issuer to authenticate the consumer based on the actual PIN.

As will also be appreciated based on the foregoing specification, the above-described embodiments of the disclosure may be implemented using computer programming or engineering techniques including computer software, firmware, hardware or any combination or subset thereof, wherein the technical effect may be achieved by performing at least one of the following operations: (a) receiving, by a computing device, an authorization request for a network transaction by a user (e.g., a payment account transaction to a payment account, etc.), the authorization request including biometric data representing at least a first biometric of the user and a second biometric of the user; (b) transmitting the biometric data to a biometric registry, thereby permitting the biometric registry to verify the biometrics data; (c) converting, by the computing device, the biometric data to a personal identification number (PIN) specific to the biometric data, when the biometric data is verified; (d) appending, by the computing device, the PIN to the authorization request; (e) transmitting the authorization request to an issuer of the payment account, thereby permitting the issuer to approve or decline the transaction based, at least in part, on the PIN; and (f) retrieving, from a data structure associated with the computing device, a unique identification (UID) number associated with the user.

Exemplary embodiments are provided so that this disclosure will be thorough, and will fully convey the scope to those who are skilled in the art. Numerous specific details are set forth such as examples of specific components, devices, and methods, to provide a thorough understanding of embodiments of the present disclosure. It will be apparent to those skilled in the art that specific details need not be employed, that example embodiments may be embodied in many different forms and that neither should be construed to limit the scope of the disclosure. In some example embodiments, well-known processes, well-known device structures, and well-known technologies are not described in detail.

The terminology used herein is for the purpose of describing particular exemplary embodiments only and is not intended to be limiting. As used herein, the singular forms “a,” “an,” and “the” may be intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms “comprises,” “comprising,” “including,” and “having,” are inclusive and therefore specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The method steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order discussed or illustrated, unless specifically identified as an order of performance. It is also to be understood that additional or alternative steps may be employed.

When a feature is referred to as being “on,” “engaged to,” “connected to,” “coupled to,” “associated with,” “included with,” or “in communication with” another feature, it may be directly on, engaged, connected, coupled, associated, included, or in communication to or with the other feature, or intervening features may be present. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.

In addition, as used herein, the term “product” may include a good and/or a service.

Although the terms first, second, third, etc. may be used herein to describe various features, these features should not be limited by these terms. These terms may be only used to distinguish one feature from another. Terms such as “first,” “second,” and other numerical terms when used herein do not imply a sequence or order unless clearly indicated by the context. Thus, a first feature discussed herein could be termed a second feature without departing from the teachings of the example embodiments.

None of the elements recited in the claims are intended to be a means-plus-function element within the meaning of 35 U.S.C. § 112(f) unless an element is expressly recited using the phrase “means for,” or in the case of a method claim using the phrases “operation for” or “step for.”

The foregoing description of exemplary embodiments has been provided for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure. Individual elements or features of a particular embodiment are generally not limited to that particular embodiment, but, where applicable, are interchangeable and can be used in a selected embodiment, even if not specifically shown or described. The same may also be varied in many ways. Such variations are not to be regarded as a departure from the disclosure, and all such modifications are intended to be included within the scope of the disclosure. 

What is claimed is:
 1. A computer-implemented method for use in authenticating a user based on biometric data, in connection with a network transaction by the user, the method comprising: receiving, by a computing device, an authorization request for a network transaction by a user, the authorization request including biometric data representing at least a first biometric of the user and a second biometric of the user; transmitting the biometric data to a biometric registry, thereby permitting the biometric registry to verify the biometrics data; converting, by the computing device, the biometric data to a personal identification number (PIN) specific to the biometric data, when the biometric data is verified, wherein the first biometric is converted to a first character of the PIN and the second biometric is converted to a second character of the PIN; appending, by the computing device, the PIN to the authorization request; and transmitting, by the computing device, the authorization request to an issuer, thereby permitting the issuer to approve or decline the network transaction based, at least in part, on the PIN included in the authorization request.
 2. The method of claim 1, wherein the network transaction includes a payment account transaction by the user to a payment account; and wherein the issuer is associated with the payment account.
 3. The method of claim 2, wherein the first biometric of the user is a first finger of the user and the second biometric is a second finger of the user; and wherein the biometric data represents an ordered combination of at least the first biometric of the user and the second biometric of the user.
 4. The method of claim 2, further comprising retrieving, from a data structure associated with the computing device, a unique identification (UID) number associated with the user; and wherein transmitting the biometric data includes transmitting the UID number to the biometric registry, whereby reference biometric data associated with the user is identified, based on the UID number, for use in verifying the biometric data included in the authorization request.
 5. The method of claim 4, wherein retrieving the UID number is based, at least in part, on a primary account number (PAN) included in the authorization request and indicative of the payment account.
 6. The method of claim 4, further comprising: storing, by the computing device, in the data structure, biometric data representing the first biometric of the user and biometric data representing the second biometric of the user, in association with the PIN and the user; and storing, by the computing device, in the data structure, biometric data representing the first biometric of the user and biometric data representing a third biometric of the user, in association with a different PIN and the user; wherein converting the biometric data to the PIN includes converting, by the computing device, the biometric data representing the first and second biometrics of the user to the PIN when the biometric data representing the first and second biometrics of the user is consistent with the reference biometric data.
 7. The method of claim 6, further comprising converting, by the computing device, the biometric data representing the first and third biometrics of the user to the different PIN, when the biometric data representing the first and third biometrics of the user is consistent with the reference biometric data.
 8. A system for use in authenticating a user based on biometric data, in connection with a payment account transaction, the system comprising: a data structure including first reference biometric data and a first associated personal identification number (PIN); and an authentication engine computing device in communication with the data structure, the authentication engine computing device configured to: receive an authorization request associated with a transaction to a payment account, the authorization request including a biometric combination associated with a user of the payment account, the biometric combination including fingerprint data from two different fingers of the user; verify the fingerprint data; convert the biometric combination to the first associated PIN when the fingerprint data is consistent with the first reference biometric data, wherein the fingerprint data from a first finger of the two different fingers is converted into a first character of the first associated PIN and the fingerprint data from a second finger of the two different fingers is converted into a second character of the first associated PIN; append the first associated PIN to the authorization request; and transmit the authorization request to an issuer associated with the payment account, thereby permitting the issuer to reply to the authorization request, based at least in part on the first associated PIN in approving or declining the transaction.
 9. The system of claim 8, wherein the authentication engine computing device is configured, in order to verify the fingerprint data, to: retrieve a unique identification (UID) number for the user based on the authorization request; transmit the fingerprint data and the UID number to a biometric registry; and receive a notice of verification of the fingerprint data from the biometric registry.
 10. The system of claim 9, wherein the authentication engine computing device is further configured to: solicit the user to enroll the biometric combination to the data structure; receive, from the user, enrollment biometric data for the biometric combination, the enrollment biometric data representing the first finger of the user and the second finger of the user; verify the enrollment biometric data with the biometric registry; and store, in the data structure, the enrollment biometric data as the first reference biometric data corresponding to the first associated PIN, when the enrollment biometric data is verified.
 11. The system of claim 10, wherein the authentication engine computing device is further configured to receive the first associated PIN from the user, prior to verifying the enrollment biometric data.
 12. The system of claim 8, wherein the data structure includes second reference biometric data and a second associated PIN; and wherein the authentication engine computing device is configured to convert the biometric combination to the second associated PIN when the fingerprint data is consistent with the second reference biometric data.
 13. The system of claim 12, further comprising an issuer computing device associated with the issuer, the issuer computing device configured to: identify at least one first rule when the first associated PIN is appended to the authorization request; identify at least one second rule when the second associated PIN is appended to the authorization request, the at least one second rule being different than the at least one first rule; when the first associated PIN is appended to the authorization request, decline the transaction when the transaction fails to satisfy the at least one first rule; and when the second associated PIN is appended to the authorization request, decline the transaction when the transaction fails to satisfy the at least one second rule, but satisfies the at least one first rule. 